The IAB Tech Lab released the first version of technical specs on Monday that publishers and ad tech companies can use to start complying with the California Consumer Privacy Act (CCPA) while transacting via real-time bidding.
The Interactive Advertising Bureau sought public comments for a draft of the compliance framework over a two-week period from late October through Nov. 5. The technical specs are available to implement starting now. The rest of the framework, including a master contract component, will be released in the coming weeks.
The turnaround has to be quick because the CCPA goes into effect in around six weeks. But the framework isn't fly by night. To prepare the specs, the IAB spent the better part of a year convening with lawyers, publishers, ad trade associations and tech companies, meeting with lawmakers in Sacramento and contemplating compliance approaches through an IAB Tech Lab CCPA/US Privacy Technical Working Group, said Michael Hahn, an SVP and general counsel at the IAB.
The finalized compliance framework is largely the same as the draft, which entails a standardized contract that specifies the relationship between publishers and their ad tech partners, coupled with technical specs that allow companies to actually consummate the contract.
The contract, or limited service provider agreement, lays out when a publisher’s downstream partners can and can’t use consumer data in the open bidding ecosystem. If the proper permissions aren’t in place, publishers need a way to prevent their ad tech partners from doing anything with the data that could violate CCPA.
That’s where the specs come in.
The US privacy string, a la the Transparency and Consent Framework (TCF) in Europe, aims to help companies that want to engage in RTB transactions also comply with the law by including a signal as to whether the proper notice was provided to a consumer, whether that person had the opportunity to opt out of the sale of their data – which is required under CCPA – and, lastly, whether the consumer decided to opt out.
The final specs also include a fourth signal, which the IAB Tech Lab added based on feedback, that allows publishers to flag if they’ve signed any IAB limited service provider agreements and whether certain RTB transactions should be subject to those agreements. The idea is to help tech companies further down the chain know what their responsibilities are, particularly when publishers have their own non-IAB contracts in place for CCPA compliance.
Taken together, the specs and the contract are intended to provide “a level of comfort” to publishers, but also to ad tech companies, that the signal being sent down the chain is legit under the law, Hahn said.
Although what it means to be legit under the law is still somewhat of a moving target. The California attorney general’s draft implementation regulations are still out for comment until Dec. 6 and probably won’t be finalized until well into the new year.
But hey, that’s the way it is, and the industry just has to roll with the punches, said Dennis Buchheim, EVP and general manager of the IAB Tech Lab.
“GDPR, and now CCPA, are living beasts, if you will, and we’ll need to continue to watch how they evolve and adapt accordingly,” he said. “TCF V2 was a huge set of changes that we made reacting to implementation and the maturity of GDPR, and I think CCPA will be similar.”
In that vein, the IAB Tech Lab is already mulling a few additions to the framework. One, based on feedback to the draft specs, would be a signal that shows whether a consumer has requested for their data to be deleted. Under CCPA, consumers have the right to ask that their data be deleted under certain circumstances.
Rather than being propagated through the supply chain via the US privacy string attached to every transaction, it would probably make more sense for that information to live higher up the chain with the publisher, Buchheim said. That’s the sort of technical question that comes up in the working group right now.
But there are also other deeper unknowns, such as whether Google will adopt the specs. Google famously dragged its heels on adopting the TCF by repeatedly proposing – and then missing – its own deadlines. Google has since agreed to integrate with the framework by the end of Q1 2020.
Will the US privacy string be different? As often seems to be the case with Google, we’ll just have to wait and see, although Buchheim said that Google has been an active participant in the IAB Tech Lab CCPA/US Privacy Technical Working Group.
“I don’t know all the answers here,” he said, “but so far there’s been good communication, and that’s encouraging to see.”